CVE-2022-37599
Description
A ReDoS vulnerability exists in webpack loader-utils v2.0.0 due to insufficient input sanitization in the interpolateName function, allowing attackers to cause a denial of service via crafted resourcePath strings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2022-37599 is a Regular Expression Denial of Service (ReDoS) vulnerability found in webpack loader-utils version 2.0.0 [1]. The flaw resides in the interpolateName function within interpolateName.js [4]. The root cause is that the resourcePath variable is passed into a regular expression without proper sanitization, making it susceptible to catastrophic backtracking when an attacker supplies a specially crafted string.
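As an added example (not code from loader-utils or from this page's author), the hash-placeholder pattern before and after the fix, copied from the commits listed under Patches, is run side by side in JavaScript; the template names are constructed samples, and `extractHashPlaceholders`, `patternsAgree` and `hashTypeFor` are helper names chosen for this illustration.

```javascript
// Added example (not loader-utils code): hash-placeholder regex before/after
// the CVE-2022-37599 fix, copied from the fix commits listed under Patches.
// Vulnerable: the hashType class [^:\]] still accepts '['. From each '[' in a
// long run of '[' characters the engine consumes the whole run as a candidate
// hashType, fails to find ':', and backtracks; repeated from every later '['
// this is quadratic work.
const VULNERABLE_RE =
  /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi;

// Patched: '[' joins the negated class, so a hashType can never contain '['
// and a run of '[' fails in constant time at each position.
const PATCHED_RE =
  /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi;

// Every placeholder a pattern finds in `name`, with its three captures.
function extractHashPlaceholders(re, name) {
  re.lastIndex = 0; // both patterns are /g; reset before reuse
  const found = [];
  for (const m of name.matchAll(re)) {
    found.push({
      hashType: m[1] ?? null,
      digestType: m[2] ?? null,
      maxLength: m[3] !== undefined ? parseInt(m[3], 10) : null,
    });
  }
  return found;
}

// Constructed sample of legitimate template names; the fix must not change
// how any of these are interpreted.
const LEGIT_NAMES = [
  '[name].[hash:8].[ext]',
  '[contenthash].js',
  '[sha256:contenthash:hex:16].css',
  'static/[path][name].[md4:hash:base64:20].js',
];

// True when both patterns yield identical captures for every name.
function patternsAgree(names = LEGIT_NAMES) {
  const run = (re, n) => JSON.stringify(extractHashPlaceholders(re, n));
  return names.every((n) => run(VULNERABLE_RE, n) === run(PATCHED_RE, n));
}

// The observable difference: a '[' in the hashType position. The old class
// swallows it into hashType; the new one rejects it and restarts at the inner '['.
function hashTypeFor(re, name) {
  const found = extractHashPlaceholders(re, name);
  return found.length ? found[0].hashType : null;
}
```

Comparing the two patterns on your own template names is a cheap way to confirm that upgrading to a patched release changes nothing about how legitimate placeholders resolve.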
Exploitation
To exploit this vulnerability, an attacker must be able to control the resourcePath input that is processed by the interpolateName function [2]. This is often achievable through webpack configuration or dynamic resource loading. No authentication is required if the attacker can influence the build process or resource naming. The weakness is triggered by feeding a maliciously constructed resourcePath that contains sequences forcing the regex engine to perform excessive backtracking [1].
Impact
Successful exploitation results in a denial of service condition. The affected component can become unresponsive or consume excessive CPU resources, potentially leading to application downtime or degraded performance. As this is a ReDoS vulnerability, the primary impact is on availability, though it can also affect the development or build pipeline if the vulnerable code is invoked during compilation.
Mitigation
The vulnerability is specific to loader-utils version 2.0.0. The repository has been archived and is now read-only [3]. Users should upgrade to a patched version or migrate to alternative loaders. No workaround is provided. The CVE has been published and acknowledged in the National Vulnerability Database [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| loader-utils (npm) | >= 1.0.0, < 1.4.2 | 1.4.2 |
| loader-utils (npm) | >= 2.0.0, < 2.0.4 | 2.0.4 |
| loader-utils (npm) | >= 3.0.0, < 3.2.1 | 3.2.1 |
Affected products
- webpack/loader-utils
Patches
17cbf8fa8989 fix: ReDoS problem (#226)
1 file changed · +1 −1
lib/interpolateName.js+1 −1 modified@@ -108,7 +108,7 @@ function interpolateName(loaderContext, name, options) { // `hash` and `contenthash` are same in `loader-utils` context // let's keep `hash` for backward compatibility .replace( - /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, + /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, (all, hashType, digestType, maxLength) => getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) )
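Review bot: the regex line under `.replace(` is the only change and it is the right one (the negated hashType class `[^:\]]` becomes `[^[:\]]`, so a `[` can no longer be consumed as part of a hashType and re-scanned from every later `[`), but the hunk ships without a regression test and the commit message does not record why `[` had to be excluded; suggest adding a test that names with `[` in the hashType position resolve the same way after the change, so the class cannot be widened again unnoticed, plus a sentence in the message tying the change to the backtracking it removes.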
ac09944dfacd fix: ReDoS problem (#225)
1 file changed · +1 −1
lib/interpolateName.js+1 −1 modified@@ -108,7 +108,7 @@ function interpolateName(loaderContext, name, options) { // `hash` and `contenthash` are same in `loader-utils` context // let's keep `hash` for backward compatibility .replace( - /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, + /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, (all, hashType, digestType, maxLength) => getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) )
d2d752d59629 fix: ReDoS problem (#224)
2 files changed · +991 −897
lib/interpolateName.js+1 −1 modified@@ -76,7 +76,7 @@ function interpolateName(loaderContext, name, options = {}) { // `hash` and `contenthash` are same in `loader-utils` context // let's keep `hash` for backward compatibility .replace( - /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, + /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, (all, hashType, digestType, maxLength) => getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) );
yarn.lock+990 −896 modified
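Review bot: the `2 files changed · +991 −897` summary shows the one-line regex fix in lib/interpolateName.js bundled with a +990/−896 rewrite of yarn.lock, which buries a security backport (the hunk is identical to the #225 and #226 ones) inside lockfile churn that reviewers and downstream packagers cannot audit line by line; suggest landing the yarn.lock refresh as a separate commit so the ReDoS fix stays a minimal, cherry-pickable diff.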
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hhq3-ff78-jv3g (ghsa; advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/ (mitre; vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/ (mitre; vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-37599 (ghsa; advisory)
- github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js (ghsa; web)
- github.com/webpack/loader-utils/commit/17cbf8fa8989c1cb45bdd2997aa524729475f1fa (ghsa; web)
- github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb (ghsa; web)
- github.com/webpack/loader-utils/commit/d2d752d59629daee38f34b24307221349c490eb1 (ghsa; web)
- github.com/webpack/loader-utils/issues/211 (ghsa; web)
- github.com/webpack/loader-utils/issues/216 (ghsa; web)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2 (ghsa; web)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ (ghsa; web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ (ghsa; web)